Important Operating System Characteristics for Safe and Secure Applications

Modern operating systems are the foundation of most
sophisticated computing platforms. Operating systems manage the computing
resources (such as memory, input/output and the central processing unit itself)
so that applications can properly employ these resources to perform their
required functions. When computing platforms are used in applications where
safety or security is paramount, special requirements may need to be addressed.

Modern microprocessors and operating systems provide memory
protection that helps developers identify and contain application faults. In
avionics systems, operating systems also provide time partitioning so that
multiple applications can execute on a single CPU. Standards such as ARINC 653
have been published that
define services an operating system shall provide when used in an environment
with multiple applications. Additionally, developers use RTCA DO-178B and, in
Europe, EUROCAE ED-12B as guidance documents to ensure their software complies
with safety requirements. For applications with security requirements, the ISO
15408 standard is used for certification. The following paragraphs detail these standards and the operating system
characteristics essential in deploying these kinds of systems.

RTCA DO-178B and DO-178C

Software used in avionics systems is generally certified
to meet requirements of RTCA DO-178B. RTCA Inc. developed RTCA DO-178B as a
guidance document that recognizes the various degrees to which software
functions may impact safety. DO-178B was published in 1992, and the newest
version, DO-178C, will be published in 2011. Developers who comply with DO-178B
requirements will not need to make any
changes to comply with the upcomingDO-178C revision. However, DO-178C extends
the utility of DO-178B and fully embraces requirements for certification
of object-oriented software, formal methods of verification, model-based design
and qualification of tools.

Both DO-178B and DO-178C define five levels of software
criticality, which relates to how latent software defects can contribute to a
failure condition. The effort required to certify software to DO-178B or
DO-178C depends on the software criticality level and hence the number of
objectives required. Table 1 shows the failure conditions, with the relevant
DO-178B software levels, and the number of objectives required to satisfy the
requirements of each level. Level E software is not considered safety-critical
and has no objectives assigned.

One of the key aspects of DO-178B is the notion of fully
verifying software requirements. This means software developers need to explore
all the defined behavior of the software, which includes verification of the
underlying operating system and board support package (BSP). Airborne
applications, such as display systems, flight control systems and navigation
equipment, are considered to be the most safety critical; and here is where operating
system functionality plays a key role of potentially providing the ability to
expose and contain faults. This means a lot of robustness testing, analysis and
verification are needed to ensure that fault containment is guaranteed under a
wide range of error conditions and system states.

Developers need to compose a detailed set of tests and analyses
to demonstrate that handling of priorities, message queues, and resources such
as memory and input/output devices are correct. Additionally, time and space
partitioning provided by the OS will need to be verified, including timing
analyses (a time budget outline of kernel services and critical sections of
code), a partitioning analysis (addressing software control coupling, data
coupling and interactions between partitioned components), and a stack analysis
(showing that a stack overflow cannot occur under various conditions and
inputs), among other things.

Integrated Modular Avionics

Integrated Modular Avionics (IMA) is an architecture that
supports one or more applications, potentially at varying levels of DO-178B
certification, on a single computing platform enabled by a time and space
partitioned operating system. Some of the benefits of an IMA architecture
include reduced weight, improved modularity, increased reusability, and the
potential to support multiple software teams and suppliers. If an IMA
architecture uses mixed DO-178B software levels, the verification scrutiny
increases because an uncertified application may share virtual and physical resources
with highly critical applications. The operating system needs to be highly
robust to ensure that temporal, spatial and resource partitioning requirements
are met. A graphic of an IMA design is given in Figure 1.

In Figure 1 the IMA architecture shows an ARINC 653 OS that runs
in supervisor mode and provides hardware memory management unit (MMU)
partitioning of memory, time and I/O resources. The ARINC 653 operating
environment provides applications with a full set of operating system services
and the basic functionality needed to support the underlying hardware. Within
each partition, the applications execute in user mode completely isolated from
other applications. Figure 1 shows three applications at different levels of
DO-178B criticality. The ARINC 653 Application Executive (APEX) enables each
application to work as if it has exclusive use of the platform, when in fact it
is sharing the platform with other applications.

ARINC 653

ARINC 653 (titled Avionics Application Standard Software
Interface) is a standard that defines the services that an IMA operating system
should provide to applications and supports the concepts of modularity,
reusability, and portability of both applications and operating systems. Most
commercial and military aircraft produced by Boeing and Airbus are now designed
using IMA, demonstrating that modern computing platforms can meet stringent
safety requirements and have multiple suppliers provide software that operates
on a shared computing platform. Moreover, IMA is now being extended to meet not
only safety requirements but security requirements, as well.

Avionics and ISO 15408 Security

Most often one thinks of avionics and security solely in
terms of military aviation (e.g., a military transponder or communication
radio). Consider that airborne communication, navigation and collision
avoidance systems today often rely on information from remote sources making
them vulnerable to unauthorized external influences that can affect both safety
and security. The need for both safety and security pairs requirements for RTCA
DO-178B with requirements from the Common Criteria. The Common Criteria, also
known as ISO 15408, is a framework that is used to address security
requirements in information technology products.

The evaluation of security software through the Common Criteria
defines "evaluation assurance levels" (EAL 1-7) that indicate the process rigor
associated with the development of an information technology product:

EAL 1: Functionally tested

EAL 2: Structurally tested

EAL 3: Methodically tested and checked

EAL 4: Methodically designed, tested and reviewed

EAL 5: Semiformally designed and tested

EAL 6: Semiformally verified, designed and tested

EAL 7: Formally verified, designed and tested

The actual EAL required for a given software application depends
upon the security threats to the system and its software. An example of an
avionics system that requires both safety and security approvals is a global
positioning system (GPS) receiver for military applications. There may be
special modes of operation where software in the GPS receiver may process
classified information. Historically, these special functions would be
accomplished using software on separate microprocessors so no classified information
would be shared outside of that processor.

Both classified and unclassified functions can be executed on a
single processor using a separation kernel with a similar time and space
scheduling architecture to ARINC 653 as depicted in Figure 2.

The functions are partitioned into virtual containers, and
communication between these functions is handled by the separation kernel (a
small but verifiable time and space partitioned operating system). In this
example, three levels of classification are depicted Top Secret, Secret and
Unclassified functions that would require Common Criteria evaluation anywhere
to EAL 6 or 7. The Separation kernel not only provides hardware MMU
partitioning but also controls information flow, time partitioning and damage
limitation.

The evolution of software
design in airborne applications has led to the use of IMA architectures to meet
safety and security requirements. Software applications such as display
systems, flight control systems and navigation functions can be designed to
share hardware resources such as the CPU, memory, and hardware interfaces
through the use of a time and space partitioned operating system. Standards
such as ARINC 653 and RTCA DO-178B, RTCA DO-178C and ISO 15408 are used to
balance challenging operating system requirements and safety and security
certification requirements. The operating systems used in IMA architectures
must support robust time and space partitioning, as well as fault containment
and isolation. Rigorous analyses and tests are required to show compliance with
DO-178B and Common Criteria requirements for security.Joe Wlad is senior director, Aerospace & Defense for
Wind River.

A few weeks ago, Ford Motor Co. quietly announced that it was rolling out a new wrinkle to the powerful safety feature called stability control, adding even more lifesaving potential to a technology that has already been very successful.

It won't be too much longer and hardware design, as we used to know it, will be remembered alongside the slide rule and the Karnaugh map. You will need to move beyond those familiar bits and bytes into the new world of software centric design.

People who want to take advantage of solar energy in their homes no longer need to install a bolt-on solar-panel system atop their houses -- they can integrate solar-energy-harvesting shingles directing into an existing or new roof instead.

Focus on Fundamentals consists of 45-minute on-line classes that cover a host of technologies. You learn without leaving the comfort of your desk. All classes are taught by subject-matter experts and all are archived. So if you can't attend live, attend at your convenience.